JPH01134601A - Compound calculater apparatus and operation monitoring and error correction thereof - Google Patents

Abstract

PURPOSE: To discover a fault in an early stage by detecting the fault by the evaluation of intermediate information after the end of a monitored arithmetic cycle. CONSTITUTION: A generator 22 generates the intermediate information based on the data of the program sequence of an arithmetic unit 50 during the operation of computers A-C and sends it to the other computer. Status information generated in the respective computers is sent to the other computer and a target value is generated from the generator 24 simultaneously. Its own target value and the status information from the outside are compared in a comparator 26 for each computer and a program is continued when they match. When they do not match, the control signal generator 28 of the other computer is excited, the present one is initialized and the other is reset. Thus, the intermediate information of an opposite party is mutually checked, and corresponding to the matching with the target value, both computers perform the next arithmetic cycle.

Description

DETAILED DESCRIPTION OF THE INVENTION The present invention is applicable to industrial applications such as anti-lock systems, air bags, etc.
A method for monitoring and error correcting the operation of a computer in a compound computer device for in-vehicle safety devices such as safety belts, wherein the computers are connected and synchronized with each other via data lines and control lines, and the operations of the computers. Regarding monitoring and error correction methods.

PRIOR ART Multicomputer computing devices are necessary to quickly process large amounts of data within a short period of time (such large amounts of data may be used to monitor, control, or adjust processes, or when processing large amounts of data from large data files). (occurs during data recall). In this case, since many computers execute one task, data is exchanged between these computers.

Such a compound computer device is applied, for example, to control in-vehicle safety systems such as anti-lock systems and forward leaning prevention systems. Examples of forward leaning prevention systems include airbags (airbags) that automatically inflate when a vehicle collides with an obstacle, and collision tension safety belt clamps.

The need to process large amounts of data arises, for example, in the case of anti-sliding systems, in which the deceleration value changes when a car collides with an obstacle in the form of a curve # (crash curve) with a maximum and a minimum value. This occurs when the activation point of the anti-leaning system must take place at a point that is predetermined by trial.

The need to process data in as short a time as possible also arises from the short time between the moment when the vehicle collides with an obstacle and the moment when a passenger may be injured. Changes in the deceleration curve must be detected without any gaps within this short period of time (ゝ.

As well as ensuring that the anti-leaning device responds correctly, it is also important to ensure that it does not malfunction. When the forward leaning prevention device is an airbag, malfunction of the airbag may block visibility at high speeds or cause the driver to panic, causing great damage.

For example, the program sequence of one or more computers of a complex computing device may be disrupted by disturbances such as radio disturbances caused by transmitting equipment, fluctuations in power supply voltage, power supply failures, or the intrusion of switching pulses through the circuit network. There is. If these computers are components of one safety device, this failure may cause the safety device to malfunction even if it does not operate when required. Even in the case of complex computer systems in applications where safety is not very important, such as for example machine tools, such failures can result in significant material damage.

In order to prevent damage caused by such failures, it is necessary to monitor the operation of the computers in the complex computer system and take measures when a failure is detected. Such complex computing devices are very complex and the calculation speed is not high enough, so that corrective operations may already be too slow by the time a fault appears externally.

Problems to be Solved by the Invention An object of the present invention is to provide a method for monitoring the operation of a computer in a compound computer device and correcting errors (and thus detecting the occurrence of a failure at an early stage and preventing damage caused by the failure). and correct the errors that have occurred in such a way that the subsequent operation of the computer is not impaired as much as possible).

Means for Solving the Problem The above problem is solved by the configuration described in the characterizing part of claim 1.

By evaluating intermediate information about the program sequence or the result of an operation, faults can be detected after the end of the monitored operation cycle and thus in many cases significantly earlier than at the end of the program. can. The basis of this idea is that failures occur with the same probability in the first calculation cycle, the last calculation cycle, and intermediate cycles, so by monitoring each calculation cycle up to the last calculation cycle, failures can be detected. The key is to be able to detect it early.

The means by which computers monitor each other means that external disturbances do not affect computers that are located far apart in the same way, and do not impede each other's ability to detect each other's failures. Based on consideration. Such disturbances due to disturbances can be eliminated by forming the intermediate information and the target values with which these intermediate information are compared in a different way.

Early detection of faults at the same time forms a prerequisite for preventing damage caused by faults and correcting errors that have occurred as quickly as possible. As long as the failure occurs within the last monitored operation cycle of a program,
Damage can be prevented by corresponding control commands. However, in the case of a failure in the last program cycle, for example, even if an operational instruction is introduced that leads to the failure, such an operational instruction cannot be carried out by a control instruction (if the operational instruction is executed for the first time at a later point in time). ) can be prevented.

Damage caused by failures can be prevented by suppressing subsequent computational cycles.

To correct the error, at least the deviating calculator is reset, regardless of the form and extent of the error. Starting from the consideration that the erroneous computer will again work without problems after the fault has disappeared, the method described above is the simplest method in which the correct result can be obtained by simply repeating the arithmetic operations. If the fault is detected early and the reset is performed early as well, no interruptions occur because the faulty program can take into account previously occurring data.

However, even if a failure occurs for the first time at a not-too-early point in the program, the data will continue to be processed at the earliest possible point, so that the gaps created can be filled.

Depending on how many calculation cycles were performed in a program before the failure occurred, the deviant computer repeats one or more calculation cycles.

In one embodiment, after a predetermined number of calculation cycles have been performed, the intermediate information is transmitted and received in a first period and written and self-transmitted in a second period following the first period. compared with the target value.

In this specification, calculation cycles are program steps in which intermediate information is changed in such a way that the correct implementation of these program steps can be deduced. One or more clock pulses are required to perform one arithmetic cycle. The system for exchanging and comparing intermediate information represents an optimization between high computational speed and possible gap-free monitoring.

Advantageously, the intermediate information itself and/or its time of arrival are compared with a target value.

This measure allows two mutually independent tests to be carried out, thus improving the fault detection capability. In this case, for example, it is conceivable that a time lag that has already occurred during the program sequence of the computer causes a failure of the intermediate information itself for the first time in a subsequent cycle due to a synchronization failure. Such failure cases can be corrected early in the embodiments of the present invention. In this way, the data processing capacity of the compound computer device is increased.

There are many ways to control a calculator for error correction. For example, all participating computers can be reset if a deviation is detected. This is the simplest method, because in this method,
Although the computer with the deviation and the computer that detected the deviation are not distinguished.

In another method, if a deviation is detected,
Either the computer in which the deviation occurred is reset and all other computers are initialized, or only the computer that detected the deviation is initialized and all other computers are reset.

Assuming that only the computer in which the deviation occurred is affected by a fault, and the computer in which the fault was detected is not, the latter computer does not need to repeat the arithmetic cycle that was previously performed without any problem.

By initialization, such a calculator is set in a state of operation to a calculation cycle that can be selected in advance. This starts the program (this is equivalent to a reset)
It may be one of the preceding operation cycles. The initialized computer waits until the program sequence of the computer in which the deviation occurred has progressed to the point where all computers can continue the program.

In one embodiment, the participating computers are reset or initialized directly by the computer that detected the deviation.

This method ensures that the computer is corrected as early as possible and that the usability of the complex computer system is therefore as high as possible. Furthermore, this method allows for a suitable implementation, since an implementation that requires no circuit engineering outlay can be carried out by means of additional program instructions.

Intermediate information signals can be transmitted serially and/or in parallel.

The various methods mentioned above have different effects on the circuit engineering costs and the intermediate information signal transmission speed. In the case of serial transmission, it is also possible to use existing data lines together. However, in this case the time available for the actual calculation cycle is reduced. Parallel transmission is expensive and involves many wires and plug connections, making it susceptible to failure. However, parallel transmission reduces the time required for transmission and testing to such an extent that computational speed is not substantially reduced. The combination of both methods increases the overall cost and the fault detection capability, since the intermediate information signal can be generated and transmitted in two ways.

In a further embodiment, the intermediate information signal can be formed from intermediate results of the arithmetic operation and/or status signals of the arithmetic program.

Status information as intermediate information already provides a reliable basis for fault detection, since disturbances usually cause disturbances in the program sequence that affect the status information.

When intermediate results of arithmetic operations are used as failure criteria, data errors can also be detected in addition to status errors. However, in this case, data parallel processing may be required (such data parallel processing is costly).

Another method involves testing the probability of intermediate results of arithmetic operations (such probability testing is relatively inexpensive).

The combination of the above two criteria (although the cost will be higher)
Improve fault detection ability.

Preferably, the intermediate information is formed by the quotient of the end address of the arithmetic program divided by the start address.

This method allows intermediate information to be generated simply and with the possibility of confusion being reliably eliminated. Since the number of possible deformations is large, the probability that a fault cannot be detected because the intermediate result is unambiguous is small.

Alternatively or additionally, the intermediate information can be generated by static and/or dynamic potential changes.

Although it is easy to form intermediate information from only potential changes, it is not a method (at present) to reliably detect faults. However, in combination with the above-mentioned means, the fault detection ability can be improved.

Furthermore, the present invention relates to a complex computer device (for example, for use in vehicle safety devices such as anti-lock systems, airbags, safety belts, etc.) consisting of at least two computers connected and synchronized with each other via data lines and/or control lines. .

In this regard, the problem underlying the invention is to detect faults at an early stage, to avoid damage caused by faults, and to correct the errors that have occurred in such a way that the subsequent operation of the computer is as unimpaired as possible. The purpose is to provide a compound computer device.

The above problem is solved by the multifunction computer device described in the characterizing part of claim 12. By configuring the computers as intermediate information signal generators, a prerequisite is created for the operation of each computer to be monitored at short time intervals (as is the case only for the output of the final result) by the other computers. It is formed. The interval at which the intermediate information signals are generated is adjusted in accordance with the frequency of comparison of the intermediate information with the target value (which is necessary to reliably prevent damage caused by disturbances and reliably correct errors). In this case, an optimization is made between the highest possible calculation speed and the highest possible comparison frequency.

There are various ways to generate intermediate information signals.

It is also possible to output intermediate results of arithmetic operations. It is also possible to perform control calculations using known quantities and form the results as intermediate information signals.

It is also possible to obtain status information regarding each processed program step of a computing program.

In this case too, the status information can be used directly or encoded. For example, many single pieces of information can be converted into encoded status information by arithmetic operations.

The formation of intermediate information for transmission to other computers depends on whether data transmission is carried out in series, in parallel, or in a combination of series and parallel.

In a further embodiment, the computer is configured as a setpoint value generator, so that it forms its own intermediate information and uses this as a setpoint value in the form of a reference signal for comparison with the received intermediate information signal. can do. The setpoint value can then be formed in the same way as the intermediate information signal or in a different way. Forming in different ways may improve the fault detection ability, since the signal changes due to disturbances are of the same form and these signal forms cancel each other out when comparing the intermediate information with the target value.

By configuring the computer as a comparator, the signal obtained as a result of the comparison between the intermediate information and the target value can be used at the same time to control the computer. In this way, immediately after a fault has been detected, measures can be taken to prevent damage caused by the fault and to correct the error. Data processing can continue as early as possible while providing rapid error correction, thereby eliminating gaps. In this case, appropriate control can be provided by a control signal generator connected to the comparator.

The aforementioned functions can also be performed by fixedly connected functional blocks in the computer. However, in terms of cost and space, it is possible to realize the above-mentioned functions in the form of an arithmetic program and process this arithmetic program with the equipment originally provided for data processing.

In a further advantageous embodiment of the invention, each computer is provided with a memory for buffering intermediate information signals supplied by other computers for comparison with its own target value.

In this embodiment, the intermediate information signals are transmitted in series, thus ensuring that in the case of more than two calculators, the intermediate information formed by all these calculations is used in the comparison with the target value. be able to. Furthermore, the formation of the setpoint value can be carried out temporally offset from the formation of the intermediate information signal. In this way, the probability that only one of these operations is impaired in the event of a failure is reduced.

Preferably, the setpoint value generator includes a timing mark generator.

Additional checks can be performed by generating timing mark signals. In this way, the intermediate information itself and its time of arrival can be monitored.

In a further embodiment, the control input of each control signal generator is connected to the reset input and/or the initialization input of the remaining computers.

In this way, computers with deviations and computers without deviations can be distinguished for the purpose of error correction. In this way, a non-deviating calculator can, for example, be set to a different nologram status than at the start of the program. This measure increases the reliability of the operation of complex computing devices (in that the effects of faults occurring during subsequent operations are avoided on these computing devices).

In another embodiment, the computer is connected to a bidirectional control line. In another embodiment, the control line and the data line are configured as a common line.

These measures shorten the overall length of the lines between the individual computers and thus reduce the size of the equipment and reduce interference.

Effects of the Invention According to the present invention, failures can be detected at an early stage and damages caused by failures can be avoided, and the error correction of the present invention is carried out in such a way that the subsequent operation of the computer is not impaired as much as possible.

Embodiment Computers A, B, and C in the compound computer system shown in FIG.
6, 18, and 20. Within the frame in the figure, the functional groups that perform monitoring and correction functions are as follows:
Illustrated by blocks connected to each other.

These blocks can actually be realized as discrete units, and can also be realized in the form of an arithmetic program using a computer. The functional blocks in this case are all six computers A, B.

Equal at C.

Computers A, B, and C each have an intermediate information signal generator 22
, the target value generator 24 (the target value generator 24 is equipped with a timing mark generator 32), and its own target value,
A comparator 26 for comparing intermediate information of other computers A, B, and C, and a control signal generator 28 (the control signal generator 28 is used for controlling itself and controlling other computers A, B, and C). 1), a memory 30, and an arithmetic unit 50 for actual data processing.

Each intermediate information signal generator 22 is a computer A, B.

In this way, each intermediate information signal generator 22 generates intermediate information from the data related to the program sequence. One output of each intermediate information signal generator 28 is connected to one of the data lines 10, 12, 14, which are connected to the memories 30 of the other computers A, B, C. is connected to the input side of the

The transmitted and received intermediate information signals are buffered in memory 30 and subsequently supplied to comparator 26 for comparison with a target value. Correspondingly, one output of each memory 300 is connected to one of the inputs of the corresponding comparator 30. The other input of each comparator 26 is connected to one output of the corresponding setpoint value generator 24 .

The setpoint value generator 24 supplies the comparator 26 with both fixed setpoint values and setpoint values that are controlled as a function of the program steps. In order to form this latter setpoint value, one input of the setpoint value generator 24 is connected to one output of an arithmetic unit 50 and in this way the setpoint value 24 is transferred via the arithmetic unit 50 to the data relating to the program sequence. is supplied.

A timing mark generator 32 provided in the setpoint value generator 24 generates a timing mark signal, and in this way, in addition to checking the °C intermediate information, the arrival time of the intermediate information is monitored. For this purpose, the structure of the memory 30 is such that it can also store reception time information of the intermediate information signal. One output of the comparator 26 is connected to one input of the control signal generator 28, so that the control signal can be generated in a shifted manner if the intermediate information is offset by the timing mark. These signals are taken from the output sides 34 and 36, i.e. the reset signal is taken from the output side 34 and the initialization signal from the output side 34.
6.

The reset signal is supplied via one of the control lines 16, 18, 20 to the reset input 38 of the remaining computers;
The initialization signal is supplied to the initialization input 40 of each computing device 50 via one downstream line.

In order to reduce the number of control lines, an external logic coupling circuit 42 is provided between the control output 34 and the reset input 38, which logic coupling circuit 42 supplies computer control signals to the respective control lines 44. .

A configuration that further reduces the control lines is shown in FIG. In the figure, the control line is configured as a bidirectional control edge 46.

The data exchange of intermediate information takes place in this embodiment via a bidirectional line 48.

During the operation of the computers A, B, C, intermediate information is generated in the intermediate information signal generator 22 at predetermined intervals from the data of the program sequence of the arithmetic unit 50, and is transmitted to the other computers A, B.

C via data lines 10, 12, and 14. In this embodiment, status information formed by the quotient obtained by dividing the end address of an arithmetic program by the start address is handled.

Status information generated by computer A is supplied to computers B and C, status information generated by computer B is supplied to computers A and C, and status information generated by computer C is supplied to computers A and B. Ru. In this case, the status information and its arrival time are stored. Simultaneously with the transmission of the status information or at a time lag, setpoint values for the computer (preferably also status information) are generated by a setpoint value generator. The own target value and the status information from the outside are compared by the respective comparators 26 of each computer A, B, and C.

If the comparison result shows that the target value matches the status information from the outside, the control signal generator 28 is not excited and the computer continues the program at the calculation cycle described later. In the normal case, this behavior is based on a previously given number of (
repeated at the end of each computation cycle (monitored).

If one of the computers A, B, C, e.g. A, is disturbed by a disturbance (e.g. switching pulse) and skips one grogram step, the next status information transmitted from computer A is the target value. deviate from Due to this difference, the comparator 26 excites the control signal generator 28 in one of the two computers B and C to initialize itself, and the other one
Reset one calculator. If this deviation is first detected by the comparator 26 of computer B, computers A and C are reset and computer B is initialized.

Subsequently, computers A and C execute the arithmetic program again from the beginning. The operation of computer B depends on which program status computer B is initialized to.

This program status may be a program start, but it may also be another program status obtained in an already executed calculation program portion.

For example, in the case of a program status after the first calculation cycle, the computer will not be able to run the subsequent A calculation cycle is performed together with computers A and C. Next, the time course of this operation (limited to a compound computer system consisting of two computers) will be explained based on FIG. In the diagram of FIG. 3, the calculation cycle, the transmission of the intermediate information signal, and the comparison of the intermediate information and the target value are shown.

Since it is assumed that the two computers A and B are synchronized, the corresponding time slots are shown one above the other. The Tanuni time axis, which explains the operation in many calculation cycles, has six time windows a, b, c,
d, e.

It is divided into f. One or more computational cycles occur in each time window to be monitored. Such a cycle takes up the largest time slot 52. The ordinal number n of each calculation cycle is indicated numerically in relation to n.

Program status is indicated by a number alone (such number is the program address e[was). In addition to the aforementioned calculation cycles, time slots 54 for transmission and reception of intermediate information and time slots 56 for comparison of intermediate information with target values are shown.

In each calculation cycle, an intermediate information signal is first transmitted and then the intermediate information is compared with a setpoint value. A new calculation cycle then begins again.

The arrow indicates the direction of transmission of the intermediate information signal.

It is assumed that two computers A and B start operating at the same time as the program starts. When the calculation period n=1 ends at time point a, intermediate information is exchanged and compared with the target value, and coincidence of the target values is detected.

In time window b, calculation cycles n=2 are performed. At this time, computer A suffers from a failure, and an erroneous intermediate information signal is transmitted to computer B.

Computer B detects the deviation in time slot 56 of time window b and resets computer A and resets itself to the program status after the first calculation cycle. Computer A remains in this number 1 program status, whereas calculation @A again starts the first operation cycle n.
=1. During this time slot 52 in time window C, computer A is again impaired. In this case, the intermediate information is correct as such, but is transmitted with a delay (this is illustrated by time slot 56 in time window C). At time slot 56 in time window C, computer B detects this deviation and resets computer A again. It is after the first calculation cycle that computer B reinitializes itself to the program status of number 1.

In time slot d, the calculation cycle proceeds without any interference from computer A. When they mutually check the intermediate information of the other party and find that the intermediate information of both agrees with the target value, both computers continue to perform the next calculation cycle n =
2 and n=3 (this is shown in time windows e and f).

[Brief explanation of the drawing]

FIG. 1 is a block circuit diagram of one complex computer system consisting of six computers. FIG. 2 is a block diagram of one embodiment of the invention. FIG. 6 is a diagram showing temporal changes in transmission of intermediate information signals and comparison of intermediate information signals with target values in a compound computer system consisting of two computers. 10.12.14...Data line, 16,18°20.
...Control line, 24...Target value generator, 26...Comparator, 28...Control signal generator, 30...Memory, 32...Timing mark generator, 38...Reset input side, 40...Initialization input side, 42...Logic coupling circuit, 44...Control line, 46.48...Bidirectional control line, a, b, c, d, e, f-time Wintou,
n...Arithmetic cycle. Fig, 2 Fig, 3

Claims (18)

[Claims] 1. A method for monitoring operation and correcting errors of computers in a compound computer device for in-vehicle safety devices such as anti-lock devices, airbags, safety belts, etc., wherein the computers are connected and synchronized with each other via data lines and control lines. In a computer operation monitoring and error correction method, each of the participating computers generates an intermediate information signal at predetermined intervals, said intermediate signal being supplied to the other computers and said other computers' A compound computer device characterized in that when a deviation is detected by comparison with a target value, a subsequent calculation cycle is suppressed, and one of the preceding calculation cycles is repeated by at least the computer with the deviation. How to monitor computer operation and correct errors. 2. An arithmetic cycle is the smallest unit program step in which intermediate information is changed, and after a previously given number of arithmetic cycles have been performed, the intermediate information is transmitted and received in a first time slot, and the subsequent 2. A computer operation monitoring and error correction method for a multifunction computer device according to claim 1, wherein the computer operation monitoring and error correction method is written in the second time slot of the multifunction computer device and compared with its own target value. 3. 4. A computer operation monitoring and error correction method of a multifunction computer device according to claim 1 or 3, wherein the intermediate information itself and/or its arrival time are compared with a target value. 4. Any one of claims 1 to 3, wherein if a deviation is detected, all involved computers are reset and the preceding calculation cycle is repeated.
A method for monitoring the operation of a computer in a compound computer device and correcting errors as described in Section 1. 5. The compound computer according to any one of claims 1 to 3, wherein when a deviation is detected, the computer with the deviation is reset and all other computers are initialized. How to monitor the operation of the equipment's computer and correct errors. 6. According to any one of claims 1 to 6, when a deviation is detected, only the computer that detected the deviation is initialized and all other computers are reset. A method for monitoring the operation of a computer in a compound computer device and correcting errors. 7. A computer in a multifunction computer device according to any one of claims 4 to 6, wherein the computer involved is directly reset or initialized by the computer that detected the deviation. operation monitoring and error correction methods. 8. A computer operation monitoring and error correction method for a multifunction computer device according to any one of claims 1 to 7, wherein intermediate information is transmitted serially and/or in parallel. 9. A computer of a compound computer device according to any one of claims 1 to 8, wherein the intermediate information is formed from intermediate results of computer calculations and/or status information of a calculation program. Operation monitoring and error correction methods. 10. 10. The computer operation monitoring and error correction method of a multifunction computer device according to claim 9, wherein the intermediate information is formed by the quotient obtained by dividing the end address of the arithmetic program by the start address. 11. A compound computing device according to any one of claims 1 to 10, wherein the intermediate information is alternatively or additionally formed by static and/or dynamic potential changes. How to monitor computer operation and correct errors. 12. For example, it is used in in-vehicle safety devices such as anti-lock systems, airbags, safety belts, etc., and data lines (10,
12, 14) and/or control lines (16, 18, 20) and are synchronized with each other, in a compound computer system consisting of at least two computers (A, B, C), the participating computers ( A, B, C) each includes an intermediate information signal generator (22), a target value generator (24),
A comparator (26) that compares intermediate information of other calculators (A, B, C) with its own target value;
26) and connects itself and the other computers (A, B,
C) A control signal generator (28) for controlling. 13. Each computer (A, B, C) has one storage device (30
), and the storage device (30) includes other computers (A,
13. The compound computer device according to claim 12, wherein the intermediate information supplied from B and C) is buffered and stored for comparison with its own target value. 14. 14. The multifunction computer device according to claim 12, wherein the target value generator (24) includes a timing mark generator (32). 15. The control output side (34,
36) is connected to the reset input side (38) and/or initialization input side (40) of other computers (A, B, C) according to any one of claims 12 to 14. The compound computer device according to item 1. 16. A logic coupling circuit (42) is provided to connect other computers (A,
Claims 12 to 1, in which the control input sides (34) of B and C) are each connected to one control line (44).
The compound computer device according to any one of Item 5. 17. Connect the computer (A, B, C) to the bidirectional control line (46)
A compound computer device according to any one of claims 12 to 15, which are connected to each other via. 18. 16. The compound computer device according to claim 12, wherein the computers (A, B, C) are connected to each other via a common line for control signal and/or data communication.